FortiSIEM Discussions
Ali_Maher
New Contributor II

FortiSIEM Database purpose

Hello Everyone,

Hope all is well!


I am here as I am a little confused by the different types of the FSM database.

I understand that there are different types of database, such as:

1- Event Database: Stores security events that come from the data sources.

2- CMDB

3- SVN

4- Profile


I hope I can have more clarification about the three DBs (CMDB-SVN-Profile).

#FortiSIEM

BR, Ali Maher
1 Solution
Secusaurus
Contributor

Hello Ali,


Your questions are covered in the NSE training for FortiSIEM (FCP):


Event Database: Stores the events in an organized way, including the raw logs.

CMDB (Configuration Management Database): Stores the configuration of your SIEM: the things that are listed in the "CMDB" tab as well as all custom rules, resources, configurations, credentials, parsers and all the settings you made.

SVN (Subversion Database): Stores current and historical device CLI-based configs (e.g. firewalls, routers, switches) and installed software on servers.

Profile: Stores baseline datasets (mostly "buckets") which are then used for anomaly detection.


They are distinct databases because they need different types and speeds for accessing them. Also, if you only have a CMDB backup, for example, you can restore your SIEM to a running state without having to backup terabytes of data.


Best,

Christian

FCP & FCSS Security Operations | Fortinet Advanced Partner

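To make the "Profile" description above more concrete, here is a small added illustration of what a bucketed baseline store does for anomaly detection. It is example code written for this thread, not FortiSIEM code, and its bucket layout (one bucket per device and hour of day), its z-score rule, the thresholds and the sample data are all assumptions constructed for the demonstration; the real profile database uses its own dimensions and statistics.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Assumed parameters for this illustration only.
Z_THRESHOLD = 3.0   # flag a value this many standard deviations from the bucket mean
MIN_SAMPLES = 3     # do not score a bucket with less history than this


class ProfileStore:
    """Keeps learned baseline samples, bucketed by (device, hour-of-day).

    A hypothetical stand-in for a profile database: the 'learn' phase fills
    the buckets, the 'score' phase compares a new observation against them.
    """

    def __init__(self):
        self._buckets = defaultdict(list)

    @staticmethod
    def key(device, ts):
        # Assumed bucket dimensions: device name and hour of day.
        return (device, ts.hour)

    def learn(self, device, ts, value):
        """Add one observation to the baseline for its bucket."""
        self._buckets[self.key(device, ts)].append(value)

    def score(self, device, ts, value):
        """Return (z_score, is_anomaly).

        z_score is None when the bucket has too little history to judge,
        so an unknown device or hour is never flagged on no evidence.
        """
        samples = self._buckets.get(self.key(device, ts), [])
        if len(samples) < MIN_SAMPLES:
            return None, False
        mu, sd = mean(samples), pstdev(samples)
        if sd == 0:
            z = 0.0 if value == mu else float("inf")
        else:
            z = (value - mu) / sd
        return z, abs(z) > Z_THRESHOLD

    def bucket_count(self):
        return len(self._buckets)


def build_demo_profile():
    """Constructed baseline: seven days of hourly failed-login counts for one
    firewall, busy during office hours and quiet at night."""
    store = ProfileStore()
    start = datetime(2024, 1, 1)  # arbitrary constructed date
    for day in range(7):
        for hour in range(24):
            ts = start + timedelta(days=day, hours=hour)
            base = 20 if 9 <= hour < 17 else 2
            # a little day-to-day variation so the buckets have a spread
            store.learn("fw-edge-01", ts, base + 2 * (day % 3))
    return store


def check(store, device, hour, value):
    """Score a new observation for the day after the constructed training window."""
    ts = datetime(2024, 1, 8, hour)
    return store.score(device, ts, value)


if __name__ == "__main__":
    s = build_demo_profile()
    for hour, value in ((10, 25), (3, 25), (10, 200)):
        z, flagged = check(s, "fw-edge-01", hour, value)
        print(f"hour={hour:02d} value={value:<4} z={z:7.2f} anomaly={flagged}")
```

The same count of 25 failed logins is normal in the 10:00 bucket and anomalous in the 03:00 bucket, which is the point of keeping baselines per bucket rather than one global average. Because the baseline must be learned over time and is consulted on a different access pattern than the event store, it makes sense that it lives in its own database, as the answer above explains.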
3 REPLIES
FSM_FTNT

Just to add to Secusaurus, the event database that we generally recommend will be ClickHouse.

Ali_Maher
New Contributor II

Thanks for the detailed answer, it's really appreciated!


I want to summarize that:

CMDB -> Stores the FortiSIEM configuration itself, which can help restore the appliance to its last state.

SVN -> Stores the configuration of the discovered devices (FW, router, ...) to check configuration changes on the log sources.

Profile -> Helps to identify the anomalies.


Thanks in advance!

BR, Ali Maher